Date:      Wed, 29 Nov 1995 15:12:08 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        p.richards@elsevier.co.uk (Paul Richards)
Cc:        terry@lambert.org, jkh@time.cdrom.com, joerg_wunsch@uriah.heep.sax.de, freebsd-current@FreeBSD.ORG
Subject:   Re: schg flag on make world in -CURRENT
Message-ID:  <199511292212.PAA28788@phaeton.artisoft.com>
In-Reply-To: <199511290956.JAA13824@isis> from "Paul Richards" at Nov 29, 95 09:56:41 am

> > The reason that the lines aren't secure by default is that you don't
> > want to have the root password working while a line snooper is catching
> > the packets with it in it.
> 
> I'm not sure that was ever the reason for secure pty's. I think the 
> intention was to prevent brute force attacks on root, which is a known
> account. A packet sniffer can just as easily pick up non-root accounts
> and then have a much better foot in the door for cracking root once on
> the machine.

Brute force attacks were more of a problem without a delay in the login
retry.  Now that there is a delay, the attack frequency is several orders
of magnitude lower, and the danger of a brute force attack is reduced by
the same scale.

> > If the only protection is against brute-forcing root over the net, then
> > it's no protection at all.  This attack is already guarded against by
> > the login attempt timer, attempt count disconnect, and probability
> > function based on the password domain.
> > 
> 
> I see some merit though in preventing root access period from insecure
> pty's. If it was an added security level I'd be in favour of it. There
> are machines where I'd like to disable remote root access completely.

Good idea.  If you bump the secure level, you have to use a secure line
to enter the root password.  This satisfy everyone?


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.


